pierfrancescoelia
just joined
Topic Author
Posts: 8
Joined: Sun Nov 17, 2019 6:00 pm

IPSec VLAN connected directly to eth ports, NO NAT

Sun Nov 17, 2019 6:10 pm

Hi everyone,
I have a PBX hosted on a VPS, and because VoIP is particularly sensitive to NAT problems, I need a setup like the following.
IP Phone <---> MikroTik RB960PGS <---> VPS

Let's say that my public (static) IP is 1.2.3.4, and so I need to create a VLAN and subnet for the IP phones. My VPN server provides DHCP, so clients are identified in this way.
IP Phone 1 => 192.168.42.5 | IP Phone 2 => 192.168.42.6 | IP Phone 3 => 192.168.42.7

I also need to have a main network for PCs (i.e. 192.168.10.0/24), for which the MikroTik should provide IP addresses through DHCP. All subnets need to access the internet, but they have to be isolated. The VoIP subnet DOES NOT need IP addresses from the MikroTik, as the VPN server is the DHCP server.

My IP phones are connected via ethernet cable (e.g. port 2 and 3) to the MikroTik.

I successfully connected the MikroTik to my VPN server, but I can't figure out how to bridge the VPN over the eth ports. As I said, no routing is requested from the MikroTik, as that is what I'm trying to avoid.
The goal is reached when my IP phones are in the same subnet as my PBX in the cloud.

I tried to be as clear as possible; I am a newbie to the MikroTik world.
Thank you all in advance, have a nice day! :D
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VLAN connected directly to eth ports, NO NAT

Sun Nov 17, 2019 7:59 pm

There is a difference between "routing with no NAT involved" and "bridging". 9 out of 10 dentists recommend the former when it comes to tunneling.

In your case, it is even more complex, as from your network diagram I infer that you want to terminate the VPN directly on the VPS running the PBX, i.e. with no MikroTik CHR running on a separate VPS next to the PBX one. And that's the issue: to my knowledge, neither of the two MikroTik L2-tunneling mechanisms (EoIP and BCP) is directly supported in Linux, which uses gretap instead of EoIP and L2TPv3 instead of BCP. So unless you want to venture into kernel patching, to date you can only use a userspace daemon implementing EoIP.

Hence I'd recommend creating a local IP subnet for the VoIP phones, with its own DHCP server, and setting up a VPN with routing between that subnet and the local subnet of the PBX, to which the NAT rules would not apply. I also suspect you may want more than one site with VoIP phones and a MikroTik, so the VPN will also have to provide for routing the voice streams between those sites (unless the PBX always forces itself into the media path).

If you insist on L2 tunneling, either spawn a CHR next to the PBX and use a private VLAN between the two (if the VPS hosting offers such a service!) and set up an EoIP tunnel between the 960 and the CHR, or use the userspace EoIP daemon referenced above on the PBX. In both cases, the EoIP transport packets would then be routed via the VPN connection, and the EoIP interface at the MikroTik end would be bridged with the two ethernet ports. At the PBX side, if the daemon runs on the PBX itself, an IP subnet and DHCP server would be linked to the EoIP interface; otherwise, the IP configuration and DHCP server would be attached to the PBX interface connected to the private VLAN, and on the CHR the interface connected to the private VLAN would be bridged with the EoIP interface.
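The routed, NAT-exempt alternative recommended above, written out as RouterOS 6.4x commands. This is an added example and not configuration from the thread; it assumes the phones sit on ether2/ether3, the WAN is ether1, the PBX's VPC subnet is 10.0.0.0/24 (constructed), and the PBX public IP and pre-shared key are placeholders.

```routeros
# Added example (not from the thread): local VoIP subnet with its own DHCP,
# a routed IPsec tunnel to the PBX subnet, and a srcnat exemption so the PBX
# sees the phones' real 192.168.42.x addresses instead of 1.2.3.4.
# Assumed/constructed: phones on ether2+ether3, WAN on ether1,
# PBX VPC subnet 10.0.0.0/24, <PBX_PUBLIC_IP> and <PSK_PLACEHOLDER>.

# 1. Local VoIP segment: bridge the two phone ports, own subnet and DHCP server
/interface bridge add name=bridge-voip
/interface bridge port add bridge=bridge-voip interface=ether2
/interface bridge port add bridge=bridge-voip interface=ether3
/ip address add address=192.168.42.1/24 interface=bridge-voip
/ip pool add name=pool-voip ranges=192.168.42.10-192.168.42.100
/ip dhcp-server add name=dhcp-voip interface=bridge-voip address-pool=pool-voip disabled=no
/ip dhcp-server network add address=192.168.42.0/24 gateway=192.168.42.1 dns-server=192.168.42.1

# 2. IPsec peer towards the PBX (IKEv2 with PSK); the EC2 side stays the responder
/ip ipsec profile add name=prof-pbx enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=peer-pbx address=<PBX_PUBLIC_IP>/32 exchange-mode=ike2 profile=prof-pbx
/ip ipsec identity add peer=peer-pbx auth-method=pre-shared-key secret=<PSK_PLACEHOLDER>
/ip ipsec proposal add name=prop-pbx enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# 3. Policy: only VoIP subnet <-> PBX subnet traffic enters the tunnel
/ip ipsec policy add peer=peer-pbx tunnel=yes src-address=192.168.42.0/24 dst-address=10.0.0.0/24 proposal=prop-pbx action=encrypt

# 4. NAT: srcnat is evaluated before IPsec policy matching, so the accept rule
#    must sit above the masquerade rule, otherwise the packets get masqueraded
#    first and never match the policy (place-before=0 puts it at the top)
/ip firewall nat add chain=srcnat action=accept src-address=192.168.42.0/24 dst-address=10.0.0.0/24 place-before=0 comment="no NAT towards PBX over IPsec"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 comment="internet access for all local subnets"

# 5. Isolation: phones and PCs reach the internet but not each other
#    (placed at the top so a catch-all accept/drop further down cannot shadow them)
/ip firewall filter add chain=forward action=drop src-address=192.168.42.0/24 dst-address=192.168.10.0/24 place-before=0 comment="VoIP -> PC LAN isolation"
/ip firewall filter add chain=forward action=drop src-address=192.168.10.0/24 dst-address=192.168.42.0/24 place-before=0 comment="PC LAN -> VoIP isolation"
```

Check the result with `/ip ipsec installed-sa print` (an SA pair should appear after the first phone packet) and `/ip firewall nat print stats`, where the accept rule's counters should grow while phones talk to the PBX and the masquerade counters should not.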
 
pierfrancescoelia
just joined
Topic Author
Posts: 8
Joined: Sun Nov 17, 2019 6:00 pm

Re: IPSec VLAN connected directly to eth ports, NO NAT

Sun Nov 17, 2019 11:18 pm

Hi @sindy! Thanks for your quick reply.

So, right now the PBX (an AWS EC2 instance with CentOS; the PBX system is VitalPBX) needs to be accessible from one site only, and I can see two possible scenarios.

EC2 hosts the VPN server (actual scenario), the MikroTik would connect and share with the phones.
The MikroTik hosts the VPN server (inverse scenario), EC2 would connect, but I don't really like this solution.
I opened this topic because I encounter lots of problems with VoIP audio; lots of times the phones ring but there is no audio on the call, and it appears to be a NAT problem (as far as I read on the Wiki).

I need the shortest path between my phones and the PBX; any kind of suggestion is welcome. The best VPN protocol for this purpose is a protocol that works over UDP.
If having the IP phones and the PBX in the same subnet is not a possible solution (I don't have the time/knowledge to do kernel patching), I'm kindly asking for an optimal solution, and instructions/resources on how to apply it on my MT.

Thank you again for your help.
 
sindy
Forum Guru
Posts: 11320
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VLAN connected directly to eth ports, NO NAT

Mon Nov 18, 2019 12:33 pm

EC2 hosts the VPN server (actual scenario), the MikroTik would connect and share with the phones.
The MikroTik hosts the VPN server (inverse scenario), EC2 would connect, but I don't really like this solution.
The roles of IPsec responder ("server") and initiator ("client") in establishing the L3 VPN tunnel are not important for the tunnel operation, so you can stay with what you have. Only if you insisted on having an L2 tunnel today would you have to spawn another VPS running MikroTik CHR, and that would only be possible if AWS EC2 provides virtual LANs between the VPSs of the same customer.

I opened this topic because I encounter lots of problems with VoIP audio; lots of times the phones ring but there is no audio on the call, and it appears to be a NAT problem (as far as I read on the Wiki).
To be honest, I don't quite get your scenario. If you only call from one phone connected to the RB960PGS to another such phone, you will definitely get rid of NAT-related problems by using a tunnel. But if you actually have the PBX connected to some uplink SIP provider, your overall configuration (routing of the phones' traffic on the RB960 and settings of the PBX) must play together in order to make the calls to the outside world work properly, because in these calls the NAT will still be present. Depending on what the PBX and the particular SIP provider can do, the necessary setup may be anywhere on the scale from easy to impossible.
So first, please confirm whether my assumption regarding a SIP uplink is correct.

The best VPN protocol for this purpose is a protocol that works over UDP.
I would go even further: the only possible protocol for this purpose. Which means IPsec as things stand now.

If having the IP phones and the PBX in the same subnet is not a possible solution (I don't have the time/knowledge to do kernel patching), I'm kindly asking for an optimal solution, and instructions/resources on how to apply it on my MT.
For that, I need a complete export of the current configuration of the RB960PGS, following the anonymisation hint in my automatic signature right below.
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IPSec VLAN connected directly to eth ports, NO NAT

Mon Nov 18, 2019 1:24 pm

If there is no sound in a VoIP connection, check if STUN is working.

https://www.3cx.com/blog/voip-howto/stun-voip-1/

External STUN servers are mostly on UDP 7070 up to UDP 7099.